Permission to view all indices and create dashboards

lchan · May 27, 2021, 2:32pm

I am looking to give permission SAML user to read all indices and I have done the following:

assign the following permissions with role indices_viewer
Confirm role mapping is setup

However users are still getting 403, what is the next step of troubleshooting?

{
  "indices_viewer" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "read",
          "monitor",
          "view_index_metadata"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Aaron_Caldwell · May 27, 2021, 3:06pm

Hello,

Try looking at the network requests that are getting 403s in your browser debugger. They'll usually have a message in the response that gives clues as to what permissions are missing and needed.

Hope that helps!

Regards,
Aaron

TimV · May 28, 2021, 1:24am

That role does not appear to have access to Kibana.
Are you encountering the 403 error while logging into Kibana? If so, that is a likely cause.

lchan · May 28, 2021, 3:15am

Sorry, I was not specific enough after re-reading my post.

The user are able to login but they are not seeing any indices. The users also have kibana_admin in addition to the above custom role.

However, they are still getting 403 on the dashboards. Is there a built-in user permission to able to read all indices?

PUT _security/role_mapping/CLOUD_SAML_TO_KIBANA_ADMIN
{
  "enabled": true,
  "roles": [
    "kibana_admin"
  ],
    "rules": { "all" : [ 
        { "field": { "realm.name": "okta-realm" } }, 
        { "field": { "groups": "elastic-cloud" } }
    ]},
  "metadata": {
    "version": 1
  }
}

TimV · May 28, 2021, 4:15am

In which case the issue is almost certainly with your role mapping to the indices_viewer role. Tat role is correctly set up to grant read access to all indices, but it doesn't look like your users are being assigned the role.

lchan · May 29, 2021, 5:50pm

Thanks @TimV

The users have roles mapped to kibana_admin and indices_viewer. They can login but not able to see any indices or dashboard from the indices.

So it looks like the roles mapping is not working. Is it possible to see their roles from my account? GET /_security/_authenticate/ doesn't work from my account as I can only see my permissions.

lchan · June 3, 2021, 5:29pm

I confirmed the user are getting indices_viewer but still cannot see any indices or dashboard(cluster health dashboard for instance). So it looks like this is role permission rather?

GET /_security/_authenticate/
{
  "username" : "foo.bar@example.com",
  "roles" : [
    "kibana_admin",
    "indices_viewer",
    "anonymous"
  ],
...

system · July 1, 2021, 5:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.